The official act of implementing safeguards to protect personal health information, also known as PHI, has been in place for over 20 years with the Health Insurance Portability and Accountability Act of 1996. Since then, the HIPAA Privacy Rule and the HIPAA Security Rule have been used to not only protect physical patient information, but also information stored electronically. With more health organizations turning to electronic methods of storing patient data, ordering treatments and reviewing lab results, the ability to prove HIPAA compliance has become more important than ever. While it is vital to understand all of the details written in the act itself, here are five basic areas you need to know and understand in order to get a strong start toward HIPAA compliance.
When determining whether the HIPAA rule applies to your organization, you must determine whether PHI is used, transmitted, or stored in your organization’s environment. If PHI is in fact handled by your organization, then the HIPAA rule could apply to you. You must also determine how the ePHI flows within the organization’s system boundaries and if the data is ever transmitted to a third party.
There are two different types of organizations in which the HIPAA rule applies: Covered Entities and business associates. According to the U.S. Department of Health & Human Services, a covered entity is one of the following:
A business associate is, according to the U.S. Department of Health and Human Services, “any person or entity that performs certain functions or activities to that involve the use or disclosure of protected health information on behalf of, or provides services to a covered entity. Examples of business associates are, but not limited to, data centers, claims processing, data analysis, or processing. HIPAA was updated with the Health Information Technology for Economic and Clinical Health (HITECH) Act which provided more technical requirements and extended HIPAA Rules to business associates. More recently in 2013 the “Omnibus Rule” was passed that even extended the liability of a breach to the business associate.
It is critical for organizations to first perform a risk assessment over its systems to identify all risks of a data breach within the organization. The risk assessment must be documented and revised on a periodic basis. It’s not enough to say your organization protects PHI; you must be able to prove it through documentation. Every organization needs to write down the steps they plan to take to ensure PHI is protected on site and online. This means documenting who has access to what and why, the type of software security used, and what happens when a breach in security is detected. This is essentially creating a security plan that you can show to any compliance auditor and regulators.
Creating a security policy and implementing procedures only keeps information safe if the employees are aware of the security procedures. It’s difficult to understand policies and procedures if no one knows what they are. Although it is likely that security procedures and policies will be updated regularly, it is important that employees are properly trained on the most current standards. All training should be carefully documented so you can prove at any time that the employees were aware of the most current security measures.
Data security breaches are costly. It makes financial sense for an organization to spend money on securing data rather than pay damages resulting from a security breach. HIPAA fines are based on the level of negligence by the organization. The fines can range anywhere from $100 to $50,000 per record (or violation), capped at $1.5 million per year for each identical infraction. These costs don’t even include the reputation and legal costs associated with a breach. Implementing security measures is just one step in protecting data. You also need to regularly test these security measures in order to identify and shore up weak points. Compliance auditors will want to see exactly what you are doing to maintain data protection, so keeping reports is important. Document every test on your security and what your organization does to strengthen any weak spots.
In spite of all of the measures your organization takes to keep PHI safe, breaches can and do occur. What will you do when this happens? How will you stop the leak of data? Who is responsible for what? You still need to plan on what to do when a security breach does happen. Map out the role of each employee, what to do in the event of a security breach and how to minimize the damages. Be sure to have this all in writing and maintain documentation of the tests performed over the plan.
If you don’t know who is able to access the information, it’s difficult to keep that information safe. Safeguards are necessary in order to take action against the abuse of access to information or a misuse of privileges. How does your organization determine who has direct access to patient records? What sort of authentication is required in order to see the physical records or access data in the ePHI network? You need to be able to show these safeguards as well as explain what happens when abuse or misuse is detected.
You don’t need to wade through the legal jargon to understand that a large part of HIPAA compliance is doing everything within your power to safeguard the PHI with which you are entrusted. Being able to document your plans and actions is likely to help you in becoming compliant. Contact Barr Assurance & Advisory, Inc. to learn more about HIPAA compliance and risk assessment.